Uber’s Android app is not ‘literally malware’, despite what you may have read

A single blog post sparked a strange, worrying headline this week: “Uber’s app is literally malware,” proclaimed a thread on Hacker News.

Despite the blog post itself being oddly inflammatory, a number of media outlets have picked up the story’s claims that Uber may send unnecessary amounts of data back from your phone, such as your private SMS messages and the images stored on your phone.

Let’s nip this one in the bud: it’s incredibly unlikely that Uber’s app is any kind of malware, and from our investigations, the worries in the original post are unfounded. The majority of the permissions listed in the post, which calls the company out for being too broad with permissions, are required by Android for many of the app’s basic functions.

Despite what some are claiming, there’s no evidence that Uber accesses any data on your phone other than that used explicitly for the purpose of getting you a ride, nor does it send any of your SMS messages, images or other data off your phone.

There’s no reason for Uber to collect data beyond what it needs; it’s certainly not in the company’s best interest.

As it turns out, Uber even has its own page that explains many of its install permissions for this very reason. Let’s go over the list of permissions requested by the Uber app upon install, one by one, and explain what each one does, using the app’s functionality to guide us:

Location: Uber needs to know where you are so you can get picked up. Surprise!

Contacts: For splitting fares with friends, inviting friends to use Uber

Phone: To call your Uber driver or for them to call you

Camera/Microphone: Uber has a function that lets you take a photo of your credit card for scanning

Wi-Fi Connection: Checks if you have internet and attempts to use the WiFi name to help determine your location

Indeed, in a statement to Cult of Mac as an update to its story on the matter, Uber says “Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of course optional.”

Still worried? Fair enough; I did some digging to verify Uber’s not doing what the blog claimed it might be doing.

I set up my Android phone to have its traffic intercepted by my Mac for around 30 minutes. I monitored from when I downloaded the app, to when I logged in and ordered a cab, as well as while it ran in the background. It’s not extensive, but it’s enough to see if anything fishy is going on.

Below you can see the most information that I saw Uber ever send off my device (note: this information was fully encrypted and is only readable as I added a certificate to the phone that allowed me to decrypt the data).

Uber sends back information like your location, phone number and email address — which is expected — along with data about your phone like the model number, OS version and serial number of the device. This information is incredibly valuable to development teams for debugging their apps, and it can be found in most apps.

I couldn’t find any instance of Uber sending back any further detailed information than this, certainly not the SMS log or call history.
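To make the check above repeatable, here is an added example (not code from Uber or from the original investigation) that walks a decrypted capture and sorts every JSON field the app sent into expected, sensitive or unclassified. It assumes the intercepting proxy can export the session as a HAR file; the keyword lists, host names and field names are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumed keyword lists; real field names depend on the app being audited.
EXPECTED = ("latitude", "longitude", "location", "phone", "email", "model", "os_version", "serial")
SENSITIVE = ("sms", "call_log", "call_history", "photo", "image")

def flatten(value, prefix=""):
    """Yield a dotted key path for every leaf of a decoded JSON body."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{prefix}.{key}" if prefix else str(key))
    elif isinstance(value, list):
        for item in value:
            yield from flatten(item, prefix + "[]")
    else:
        yield prefix

def audit_har(har, domain):
    """Classify every JSON field sent in request bodies to `domain` or its subdomains."""
    report = {"expected": set(), "sensitive": set(), "unclassified": set(), "unparsed": 0}
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = urlsplit(request["url"]).hostname or ""
        text = request.get("postData", {}).get("text")
        if not text or not (host == domain or host.endswith("." + domain)):
            continue
        try:
            body = json.loads(text)
        except ValueError:
            report["unparsed"] += 1  # non-JSON body: needs manual review
            continue
        for path in flatten(body):
            low = path.lower()
            bucket = ("sensitive" if any(w in low for w in SENSITIVE)
                      else "expected" if any(w in low for w in EXPECTED)
                      else "unclassified")
            report[bucket].add(path)
    return report

# Constructed sample capture (not real traffic); hosts and field names are made up.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://api.rides.example/v1/pickup", "postData": {"text": json.dumps({
        "rider": {"email": "a@example.org", "phone": "+10000000000"},
        "location": {"latitude": 1.0, "longitude": 2.0},
        "device": {"model": "X", "os_version": "4.4", "serial": "S1"},
        "app": {"version": "3.0"}})}}},
    {"request": {"url": "https://api.rides.example/v1/log", "postData": {"text": "\x00\x01"}}},
    {"request": {"url": "https://other.example/t", "postData": {"text": '{"sms": ["hi"]}'}}},
]}}
```

Calling `audit_har(SAMPLE_HAR, "rides.example")` returns an empty `sensitive` set and one unparsed body. Anything that lands in `unclassified` or `unparsed` still needs a human look before the capture can be called clean.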

Perhaps the issue here isn’t apps asking for too many permissions, but instead the way they’re presented to the user. Android users continue to be scared away by permissions on the platform, when in reality they’re simply asking for details they need to perform basic functions.

In the blog post that started all of this, the writer himself notes “Maybe Uber evil [sic]. Maybe Uber isn’t sending a bunch of data off to their collection servers for harvesting. Maybe I’m just paranoid.”

For Uber on Android, there’s nothing to worry about. These permissions aren’t worrisome like they’re being made out to be.